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Abstract 

It has been shown that Information-Disturbance theorem can play an 
important role in security proof of quantum cryptography. The theorem 
is by itself interesting since it can be regarded as an information theo- 
retic version of uncertainty principle. It, however, has been able to treat 
restricted situations. In this paper, the restriction on the source is aban- 
doned, and a general information-disturbance theorem is obtained. The 
theorem relates information gain by Eve with information gain by Bob. 

1 Introduction 

In 1984, Bennett and BrassardfT proposed a protocol to realize key distribu- 
tion that uses quantum theory in its essential part. In spite of simplicity of 
the protocol, its unconditional security proof[ll [SI SI [S] appeared more than a 
decade later after its proposal. Among the various existing proofs, a proof by 
Biham et al.[S] employs a so-called information-disturbance theorem [51 [71 [HI H] 
that can be regarded as an information theoretical version of the uncertainty 
relation. We, in [lOj . succeeded in deriving an improved variation of the theo- 
rem. Our theorem expressed a relation between information gain by Eve and 
randomness of error contained in Bob's data. Although it has a natural form, 
its applicability is still restricted. In fact the state prepared by Alice has to be 
ensembles consisting of pure states with even probability. In this paper, we get 
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rid of this strong condition and show fairly generahzed form of the information- 
disturbance theorem. AUce prepares an arbitrary state by one of two different 
ensembles. That is, Alice chooses one of two random variables to be encoded. 
Each ensemble does not need to consist of distinguishable states. Our new 
information-disturbance theorem represents a relation between Eve's informa- 
tion gain and Bob's information gain. According to the theorem, if Eve employs 
an attack that gives her large information on an encoded random variable, Bob 
could obtain small information on another random variable. This trade-off is 
determined by noncommutativity between the ensembles. The theorem is de- 
rived by using remote ensemble preparation technique and entropic uncertainty 
relation. These technique also allows us to obtain a simple derivation of the 
result in [10]. In sectioiJH we give a brief review on positive operator valued 
measure and entropic uncertainty relation that play central roles in our proof. 
In sectior(3l we introduce a method to prepare remotely an ensemble of quantum 
states by making a proper measurement on predistributed quantum state. In 
sectior(31 our main theorems are presented. 

2 Preliminaries 

We begin with a brief introduction of relevant notions in quantum theory: pos- 
itive operator valued measure and entropic uncertainty relation. 

2.1 Positive Operator Valued Measure (POVM) 

A quantum system is described by a Hilbert space and operators acting on 
it. The most general observable is represented by a positive operator valued 
measure (POVM) (see, e.g. [H]). A positive operator valued measure A{-) is a 
map from measurable space (f^,^) to a set of positive operators satisfying: 

(i) For all Si,S2 e T satisfying 5*1 n ^2 = 0, A{Si U 5*2) = A{Si) + A{S2) 
holds. 

(ii) A{n) = 1 holds. 

Hereafter we treat only the case that the measurable set is a finite set. Therefore 
the conditions above can be rephrased as follows. A POVM is a family of 
positive operators {^ajaen satisfying J2aen^a = 1- Each a £ Q corresponds 
to a measurement outcome. A POVM is called as a projection valued measure 
(PVM) if Aa is a projection operator for all a S O. A state is described by 
a so-called density operator. A density operator p is defined by an operator 
satisfying p > and trp =1. If one measures an observable A = {Aq} in a 
state p, one obtains an outcome a with probability ti{pAa)- From a POVM 
A = {Aa] one can construct a self adjoint operator A := X^aen^^a- This 
operator is useful since it gives the expectation value for the measurements so 
that {A)p = tr{pA). For PVM, the standard deviation can be calculated as 

AA, = ((i2),-(i)2)l/2. 
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2.2 Entropic Uncertainty Relation 

As is widely known, the uncertainty relation is the most fundamental result 
of quantum theory. It, in general, is expressed by an inequality. The uncer- 
tainty relation treats two (or more) observables. Incompatibility of probability 
distributions of their measurement outcomes is bounded by noncommutativity 
between them. The most famous one is the Robertson-type uncertainty relation 
for PVMs: 

AApABp > itr(p[i,B])| 

where AAp (ABp) represents standard deviation of the outcome of the corre- 
sponding observables. However, to characterize randomness of measurement 
outcomes, the standard deviation is often insufficient. The standard deviation 
depends on how to assign a value of measurement outcome to each event. For 
instance, let us imagine an observable which takes 0, 1 and 2 as its value of 
measurement outcome. If a state gives an outcome or 1 with probability 1/2, 
its standard deviation is 1/2. On the other hand, if we shuffie the values of 
outcome so that the new observable takes an outcome or 2 with probability 
1/2, its standard deviation becomes 1. In addition, the above Robertson-type 
formulation cannot deal with the most general type of measurement, positive 
operator value measure (POVM) measurement. The entropic uncertainty rela- 
tion can cover this type of measurement and is of advantage to its application. 
It has the following form: 

H{A\p) + H{B\p) > ~21ogmax||Ay2si/2||^ 

a,o 

where A := {Aa} and B {Bb} are POVMs and H{A\p) {H{B\p)) represents 
Shannon entropy of the probability distribution of the measurement outcome 
of A (B) in a state p, i.e., H{A\p) = - X^aeJi ^''(p^q) logtr(P^a)- This type 
of uncertainty relation was ffi'st proposed by Dcutsch[12j and was improved by 
Maassen and UffinkJJij. The above general form for POVMs was obtained by 
Krishna and Parthasarathv[H| . 

3 Remote Ensemble Preparation 

In this section we explain a way to prepare an ensemble of quantum states on 
a remotely located quantum system by using predistributed entangled state. It 
plays an essential role to prove impossibility of the bit commitment. It has been 
used to translate the BB84 quantum key distribution into E91 quantum key dis- 
tribution. The theorem was first proved by Hughston, Jozsa and Wootters|15j. 
and generalized by Halvorson|16j for the most general quantum system includ- 
ing infinite systems. We, in this paper, treat only finite quantum systems that 
are described by finite dimensional Hilbert spaces. Suppose there exist two 
characters: Alice and Bob. Each of them has a quantum system. The system 
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possessed by Aliee (Bob) is ealled as system A (system B). Alice (Bob) can ma- 
nipulate only the system A (system B). The system A (system B) is described 
by a Hilbert space Ha (J^b)- We assume that they have an identical finite 
dimension. Ha — Hb — C'^ . Wc consider a method to prepare an ensemble 
of states on the system B by Alice's operation on a predistributed entangled 
state 1$). A normalized vector of the composite system, |$) e Ha ®Hb, can 
be written as, thanks to Schmidt decomposition theorem, 

k 

where {|e^)} ({jel')}) is an orthonormal basis oi Ha {Hb)- Wc hereafter fix a 
normalized vector |$) and its corresponding basis. Ha and Hb are identified 
with respect to these basis. We write its reduced state on each system as, 

= Y.>^k\et){et\ 

k 
k 

When wc identify these two Hilbert space, wc simply write them as p{= p'^ = 
p^). Suppose that the state p^ can be decomposed into a mixture of the states 
as p^ = "^iPipf, where pf is a state of the system A for each i and {pi} 
satisfies J^iPi — 1 ^^"^ Pi — ^- Hereafter, for simplicity, we assume rank/? = TV. 
In the following, we consider a measurement by Alice that prepares the state Pi 
with the probability pi on the system B attached to Bob. We define transpose 
operation with respect to the basis {|e^)}. Since the transpose operation A i— > 
*A preserves the positivity of the operator, a family of operators, 

F[{Pj,Pj}\ ■■= {F[{Pj,Pj}]i} ■■= {PiP-'^' 'Pip-'^'} (1) 

forms a POVM. Let us take the state |$) and consider an a-postcriori state 
with respect to the POVM F[{pj, pj}]. A probability to obtain an outcome i is 
calculated as 

($|J^[fe,p,}]|$) = ^Xk{et\F[{p„p,}]i\et) 

k 

= Y.^kPiket\p-'l''pip-'IM) 

k 

= pjtr(/9p"^/^/9ip"^/^) = Pi. 

Since Alice does not make any operation on the system B, the a-posteriori state 
of the system B for the outcome i is calculated as /pi. Since 

for each operator A on Hb, 

k,l 
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= \^M\P~'^^PiP~'^^H){ek\A\ei) 

k,l 

= Pitr{piA) 

holds, where we used a relation *p = p, the a-posteriori state of the system B 
is Pi. We thus proved the following theorem. 

Theorem 1 Suppose that there exist Hilbert spaces Ha, Hb and a normal- 
ized vector 1$) G Ha ® Hb- Assume that the reduced density operator p := 
ir^^jj (I can be decomposed into a mixture of states as, p = ^^Pipi- There 
exists a POVM F[{pj , pj}] = {F[{pj,pj}]i on Ha that prepares the ensemble 
{pi,Pi} on Hb- That is, the probability to obtain an outcome i is pi, and the 
a-posteriori state o/Hb then is pi. 

4 Information-Disturbance theorem 

In this section, we derive two types of Information-Disturbance theorem. Both 
treat a cryptographic setting. The first one relates information gain by Eve with 
information gain by Bob. The second one relates information gain by Eve with 
randomness of error contained in Bob's outcome. 

4.1 Information v.s. Information 

We deal with a quantum cryptographic setting. It is a simplified version of 
the BB84 protocol. Three characters: Alice, Bob, and Eve, play their roles. 
Alice has a quantum system described by an iV-dimcnsional Hilbert space, Ha- 
She prepares a state p of this system in one of the two different methods: (a) 
she prepares a state pi with probability pi for each i, or (b) she prepares a 
state CTj with probability qi for each I. To assure that both procedures actually 
give the state p, we impose a condition, p = J2iPiPi = J2i li'^i- We write X 
(Y) a random variable whose value takes i (l) with the probability pi (qi). The 
preparation can be regarded as encoding AT or y to the state p. The full protocol 
runs as follows: 

(i) Alice chooses one of the two methods, (a) or (b), to prepare the state p. 

(ii) Alice prepares the state p according to her choice on the method. That 
is, Alice encodes X or F to the state. 

(iii) Alice sends the system to Bob. 

(iv) After confirming that Bob has actually received the system, Alice pub- 
lishes the method ((a) or (b)) which she employed to prepare the state 
P- 

(v) Bob makes a measurement on his received system to extract the encoded 
information. We write Hilbert space of the received system asHs instead 
of Ha for convenience. 
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Note that even if there is no eavesdropper between Ahce and Bob, Bob does not 
obtain in general the full information Alice has encoded. That is, the encoding 
employed by Alice may be ambiguous one. pi and pj for i ^ j may not be 
distinguishable perfectly. In the following we will see that Eve's eavesdropping 
in addition makes Bob's information gain less. Let us see what Eve can do. Eve 
who wants to obtain information encoded by Alice can make her own apparatus 
interact with TIa when it is sent to Bob. She may keep the apparatus and only 
after knowing Alice's announcement, may make a measurement on it to obtain 
a classical output. Denote I-Le the Hilbert space of Eve's apparatus. Eve's 
operation is described by a unitary operator U : I-Lb ® 'He ^ 'Hb ® 'He- ^ 
state of the apparatus before the interaction is written as |0) e He- Without 
loss of generality, we can assume it as vector state. Eve's attack is determined 
by the triplet, (7i_E, U). After Alice's announcement. Eve tries to make an 
optimal measurement Z, a POVM, on her apparatus to extract the encoded 
information. What we are interested in is the trade-off between the information 
gain by Bob and one by Eve. Let us suppose a fixed Eve's attack {He: \^): U). 
We define I{X : B) as optimal information gain by Bob on random variable X. 
That is, if Alice has encoded X to the quantum state and Eve employs an attack 
{He, \^)iU), Bob's optimal information gain on X is I{X : B). In the same 
manner, I{Y : B) is defined as information gain by Bob on random variable Y . 
I{y : E), on the other hand, is defined as optimal information gain by Eve on 
Y if Alice has encoded Y to the quantum state p and Eve employs the attack 
{He, \^), U). I{X : E) is defined as optimal information gain by Eve on X. 

Theorem 2 For a fixed Eve's attack (Ti^, i7), the following inequalities 
hold: 

I{X : B) + I{Y : E) < H{X) + H{Y) + 2\ogm^x\\F[{p„ p,}]'/'F[{qi,ai}]'J\ 
I{X : E)+I{Y : B) < H{X) + H{Y) + 2\ogm^x\\F[{p,, p,}]'/'F[{qi,ai}]'J\ 

where POVMs, F[{pj, pj}] and F[{qi,aiY\ are defined by (Qp. 
Proof: 

To calculate Bob's and Eve's information gain, we construct an appropriate 
probability distribution. We apply the remote ensemble preparation technique. 
Suppose that p can be diagonalized as p = ^k\e^){e'^\ and thus {|e^} forms 
a basis of Ha- We introduce {|ef )}, a basis of Hb and use {|e^}} and {|ef )} 
to identify both Hilbert spaces. Let us introduce a virtual entangled state on 
Ha ®Hb- ^ normalized vector |$} G Ha ®Hb '^s defined as, 

1$) :=^VAl|e^)®|ef). 

k 

As we have explained, this state can be used for the remote ensemble prepara- 
tion in case of existence of Eve. In fact, if Alice operates a POVM F[{pi, pi]] 
{F[{qi^aiY\) on this state. Bob obtains a state pi (ai) with probability pi (qi). 
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The effect Eve gives on it can be included by defining a new state, 

I*) := (1 [/)!$) 

If Alice applies a POVM F[{pi, pi}] (F[{qi,(Ti}]) on this state, she obtains an 
outcome i {1} with probability pi (qi) and the state of Bob and Eve then is U{pi® 
\n){Q\)U* {U{ai (g) \n){n\)U*). Let us consider arbitrary POVMs B := {Bb} 
of Bob's and Z := {Z^} of Eve's. We write the random variable representing 
the outcome of Bob's (Eve's) measurement also as B (Z). A-posteriori state 
PB=b z=z °^ with respect to these POVMs is written as 

for an arbitrary operator A on Ha- We apply the cntropic uncertainty relation 
to this state. The observables to be concerned are POVMs: F[{pj,pj}] and 
F[{qi,(Ji}]. We obtain, 

H{X\B = b,Z = z) + H(Y\B ^b,Z = z)> -21ogmax \\F[{p„ p,}]'/^ F[{qi, ai}]l^'\ 

Subtracting H{X)+H(Y) from both sides and summing them up with {^\Bi)Zz\^), 
we obtain, 

I{X : B,Z) + I{Y : B,Z) < H{X) + H{Y) 

+21ogmax||F[fe-,p,}]yV[{gj,a,}]^/2||. 

Using I{X : B) < I{X : B, Z) and I{Y : Z) < I{Y : B, Z), or I{X : Z) < I{X : 
B, Z) and I{Y : B) < I{Y : B, Z) we obtain, 

I{X : B) + I{Y : Z) < H{X) + H{Y) + 2logmf,\\F[{p, , p,}]^^ F[{qi, ai}]'J'l 
I{X : Z) + I{Y : B) < H{X) + H{Y) +2logma^\\F[{pj,pj}]y'F[{qi,ai}]l/'\\. 

Since the POVMs B and Z are arbitrary, we can take the optimal one for both. 
Q.E.D. 

This theorem gives nontrivial bounds if POVMs F[{pj,pj}] and F[{qi,ai}] 
do not commute with each other. That is, when Eve employs an operation that 
should yield herself to obtain large information if the encoded random variable 
was Y {X), Bob cannot obtain large information on X (Y) that was actually 
employed by Alice. 

Let us consider the simplest example. The system consists of Af-qubits. p is 
the maximally mixed state, p = Each bit has two natural basis correspond- 
ing to the eigenvectors of CTz and (Jx- Let b be an element of [z, x}^. b naturally 
determines a basis of A^-qubit and an observable X\b\ that is diagonalized by 
this basis. We write 6, the conjugate basis of b. It is defined by exchange all z 
{x) to X {z). We write its corresponding observable as In this situation, 

we obtain, 

I{X[b] :B)+/(A[6] ■.E)<N. 
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4.2 Information v.s. Randomness of Error 

In [T^ we derived a theorem [I^ that relates information gain by Eve and ran- 
domness of error contained in Bob's data. Its derivation, however, rehed upon 
symmetrization technique and Holevo bound, and was comphcated. We here 
give another simple proof of the theorem by the remote ensemble preparation 
technique and the entropic uncertainty relation. 

Let us first begin with the setting. It is a special case of the above general 
one. Let us consider two pairs of orthogonal states, {|0), |1)} and its conjugate 
{|0), |1)} in C^. They are assumed mutually unbiased and thus 

\m\' = l 

holds for each i,j = 0,1. Alice has A^-qubits described by a Hilbert space 
Ha = (g) • ■ • (g) {N times). For each i = iii2 ■■ - in e {0, 1}^, we 
write \i) = \ii) (g) [12) g) • ■ • (g jiAf) and \i) := |ji} (g |?2} ® ■ ■ ■ (8) |«Ar). She prepares a 
maximally mixed state p = ^ of this system in one of the two different methods: 
(a) she prepares a state with probability 277- for each i G {0, 1}^, or (6) 
she prepares a state with probability ^tt for each j G {0, 1}^. We write 

a random variable A which takes value i £ {0, 1}^ with probability ^tj-- Alice 
encodes this random variable to quantum state p by one of the methods (a) or 
(6). 

(i) Alice first selects (a) or (b) which is used to encode a random number. 

(ii) Alice encodes the random variable A to the state p ~ ^ according to 
her choice on the method. That is, if she has chosen (a), Alice prepares 

with probability On the other hand, if her choice was (6), she 
prepares with probability 

(iii) Alice sends the system to Bob. 

(iv) Alice, after confirming that Bob actually has received A^-qubits, informs 
him of the method ((a) or (6)) she used. 

(v) Bob makes a measurement with respect to the basis and obtains an out- 
come. Let us write B the random variable representing this outcome. If 
there is no eavesdropper, A — B naturally follows. 

Eve wants to obtain the information of the random variable A. For the purpose. 
Eve prepares an apparatus and makes it interact with the A^-qubits sent to Bob 
by Alice. Denote He the Hilbert space of Eve's apparatus. Eve's operation 
is described by a unitary operator U : Hb He ~^ Hb He ■ state of the 
apparatus before the interaction is written G He- Thus Eve's attack is 
determined by the triplet, {He, \^), U). After the publication of the basis. Eve 
tries to make an optimal measurement Z = {Zz}-, a POVM (positive operator 
valued measure), on her apparatus to extract the information of A. 
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What wc arc interested in is the trade-off between the information gain by 
Eve and the errors contained in Bob's outcome. Let us suppose a fixed Eve's 
attack. We define I{A : E\a) as Eve's optimal information gain on A if Alice 
has chosen the method (a) for encoding. I{A : E\b) is defined as Eve's optimal 
information gain on A if Alice has chosen the method (&). We can show the 
following theorem. 

Theorem 3 Information gain by Eve inevitably makes Bob's data in another 
basis random. More precisely, for the fixed Eve's attack {He,\^),U), the fol- 
lowing inequality holds: 

I{A:E\a)<H{A®B\b), 

where H{A © B\a) is the Shannon entropy of the error contained in Bob's out- 
come when Alice has chosen the method (a) for encoding. 

Proof: For the proof, we employ the remote ensemble preparation technique. 
Since the state prepared by Alice is maximally mixed state, the relevant entan- 
gled state of Wa<8iWs is maximally entangled state: |$) := \i) \i). The 
effect of Eve's attack can be included by defining a new state, 

I*) := (l(g)[/)|$)(8)|f2). 

Now suppose that Eve employed a POVM Z := {Z^} and obtained a value z. We 
write a-postcriori state on Ha (E)Ti.B- To this state, we apply the entropic 
uncertainty relation. To introduce relevant POVMs, we fix a basis to define 
transpose operation as {\i)}. It is convenient to introduce a new basis {\i)} as 
|i) := J2j Ill f^ct, the transposition of \i){i\ = J2j k b')0'l*)(^l^)(^l ^i^h 

respect to the basis {\i)) can be simply written as, Let us define observ- 

ables Fa and Fa on Ha as Fa ■= I]iG{o,i}" ^^'^ ^A. ~ I]»g{o,i}" 
Let us define observable G-g- on Hb as G-g- := Observables to be 

treated are F-j © G-g- = lEi that gives probability distribution for A © B in 
(6) and Fa^I = ^jjPj that gives probability distribution for A in (a). The 
following inequality holds: 

H{F^(B G^\Z = z) + H{Fa 1\Z = z) > -21og(^max||i;(Pj||^ . (2) 

Thus we must estimate From 

F-j®G^ = ^l\i){i\ » \i®l){i®l\, 
l,i 

we obtain Ei = ® |i © l){i © Therefore 

EiP^ = li)(ili)01 ® \i®i)(J®i\ 
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holds. To estimate the norm of this operator, we introduce a normahzed vector 
I*) J2ku ^ku\k) (8) \u) and apply EiPj on it. 

i 

gives 

i 

< max|(i|i)P V lajiezP 

i 

< max|(i|j)p. 
Thanks to \{i\j) \ = we obtain 

max||£;,P,||< (1)^/2. 

Application of this inequality to ^ leads us 

H{Fj® Gg\Z ^ z) + H{Fa (E> 1\Z = z) >N 
Taking an average with respect to z and adding N to both sides, we obtain 

I{A : Z\a) < H{A®B\h). 
Since the POVM Z is arbitrary, we obtain the theorem. Q.E.D. 

5 Summary 

In conclusion, we derived a generalization of the information-disturbance the- 
orm. Our generalized theorem can treat a general source (a pair of ensembles 
that give the same state) and relate Eve's information gain for an ensemble with 
Bob's information gain for another ensemble. The result is a direct consequence 
of the entropic uncertainty relation. 
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